[HN Gopher] FBI Palantir glitch allowed unauthorized access to p...
___________________________________________________________________
FBI Palantir glitch allowed unauthorized access to private data
Author : grej
Score : 184 points
Date : 2021-08-26 15:49 UTC (7 hours ago)
(HTM) web link (nypost.com)
(TXT) w3m dump (nypost.com)
| Threeve303 wrote:
| The government believes it can create a surveillance state and at
| the same time retain control over the data created by its civil
| rights violations. Also, if the company wouldn't exist without
| government funding either directly or indirectly then the third
| party doctrine should not apply.
| A4ET8a8uTh0 wrote:
| Tbh, this may end up our only saving grace when it comes to
| setting up a panopticon: incompetence and basic human nature.
| clarkmoody wrote:
| Need a few more major leaks of private information of
| politicians and regulators.
|
| And of course we have the nightmare scenario in Afghanistan
| with a US database falling into the hands of the Taliban.
| Hoping that only "the right people" have access is the worst
| form of assurance against abuse.
| abecedarius wrote:
| https://en.wikipedia.org/wiki/Office_of_Personnel_Managemen
| t...
|
| Hard to overstate this one. So more leaks is not, by
| itself, enough to make changes happen.
| queuebert wrote:
| Is this why some insiders recently dumped a bunch of PLTR?
| [deleted]
| londons_explore wrote:
| The real "fix" for this issue will be to adjust the logging
| retention policies to 24 hours.
|
| Then nobody can prove who/what/why data was illegally accessed.
|
| And if some judge forces you to turn over those 24 hours worth of
| logs, you fix the ACLs and respond to the judge tomorrow, when
| the logs show nothing unwanted.
| mandevil wrote:
| A) Judges generally don't take kindly to being played for fools.
| Do this and you make a judge very very angry, which is not good
| for whatever you want the judge to do.
|
| B) The FBI doesn't keep logs of who accessed what because a
| judge wants it. They keep logs on who accessed what because
| they want to know who leaked documents to reporters. Something
| like the Fincen Files leak:
| https://en.wikipedia.org/wiki/FinCEN_Files is investigated by
| figuring out everyone who opened the files in question.
|
| The FBI has even more important information than this, in
| particular the identities of confidential informants and
| undercover agents. Those cases are actually more complex
| because they are highly protected- with good reason, if someone
| unauthorized accesses this data it can get people killed- but
| desperately need to deconflict: there have been cases where an
| FBI office in City A was using an undercover agent to try and
| trap drug smugglers in City B, while a confidential informant
| in City B was trying to trap gun runners in City A, and no
| actual criminals were involved.
| 01100011 wrote:
| I keep seeing folks hype Palantir, usually to promote the stock,
| and I keep wondering what is so special about what is essentially
| a software design services firm/body shop. Is there something I'm
| missing?
| babesh wrote:
| Because most other tech companies (except a few of the very
| biggest ones) won't touch that business with a 10 foot pole.
| They have all that business for themselves. Fat profits for
| tech that doesn't have to be awesome.
| jasonhoch wrote:
| Palantir responded in a statement to TheStreet.com: "There was no
| glitch in the software. Our platform has robust access and
| security controls. The customer also has rigorous protocols
| established to protect search warrant returns, which, in this
| case, the end user did not follow."
|
| Source: https://www.thestreet.com/investing/palantir-shares-data-
| acc...
| TechBro8615 wrote:
| Ah, the famous "Cambridge Analytica Cop-Out," invented by
| Facebook but perfected as an art by blameless multinational
| conglomerates.
| LeifCarrotson wrote:
| If you can gain unauthorized access by simply choosing not to
| follow a protocol that says you don't have access, there aren't
| really any access controls in the software at all.
| SevenSigs wrote:
| I've seen videos of Palantir's software in action and it
| doesn't appear to be very sophisticated
| TaupeRanger wrote:
| No - the FBI didn't use the access controls correctly, that's
| the point. If they were used correctly, the unauthorized
| access wouldn't have happened.
| addingnumbers wrote:
| They didn't use the controls at all. To Palantir, inaction
| or omission indicate there should be zero controls.
| dewey wrote:
| It sounds more like the customer should set something to
| private but chose not to. Just like if you set your S3 bucket
| to public you wouldn't blame Amazon for not keeping your data
| private.
| eli wrote:
| It's better now, but Amazon absolutely deserves blame for
| historically making it extremely easy to accidentally make
| S3 buckets or files within buckets public.
| pestaa wrote:
| Cutlery manufacturers absolutely deserve blame for
| historically making it extremely easy to accidentally cut
| your fingers with their knives.
| omegaworks wrote:
| If you sell cutlery without a handle and expect your end
| users to simply wrap it in a towel before using it maybe
| you should share some of the blame when your users hurt
| themselves.
| weird-eye-issue wrote:
| I might be in the minority but I never found the old UI
| to be confusing. Public buckets were never the default
| and it was pretty clear when you were making the change.
| It's good they are making it more dummy proof but I'm not
| sure it is fair to say they deserve blame
|
| As a sidenote I actually find all the new warnings and
| stuff annoying (but I'm not saying it isn't worth it all
| things considered). As a developer I'm quite used to
| having to pay attention to details already - one typo can
| be disastrous and there might be no warning (you might
| say but that is what a proper CI process is for and
| testing but what if that typo is in the CI process or
| tests?)
| janto wrote:
| This looks more like a mess that would happen if S3 buckets
| _by default_ were accessible to anyone with an Amazon
| account. Which would clearly be a colossal mistake made by
| the platform.
| dennisblue wrote:
| ITT we blame a software company for the sham practices and
| requirements of intelligence agencies.
|
| Yes in any responsible system, there would be mandatory
| access controls and default access limits, but I can 100%
| guarantee you that the reason these systems don't have those
| (and the ones described by Snowden don't either) is because
| the intelligence agencies don't want them. They want it to be
| easy for their employees and contractors to break the pretend
| security that pretends to protect our privacy.
|
| Knowing this, it's infuriating they would point the finger at
| anyone else. Will someone please remind me why we even need
| intelligence agencies?
| ren_engineer wrote:
| sounds more like a feature than a bug, Palantir can blame the
| FBI, FBI can blame Palantir. FBI really just wants the ability
| to access data they want
| nxpnsv wrote:
| This sounds a lot like "you're holding it wrong"...
| adolph wrote:
| Reference for the younguns:
|
| https://youtu.be/b9eXYOA8TCk?t=117
| AtlasBarfed wrote:
| Built-in bypasses to protections of your freedoms and security
| theatre that allegedly protects them:
|
| FUNCTIONING AS DESIGNED
|
| Yeah, the headline of the article immediately brought to mind
| an IT system built by a data-hoovering oversight-averse FBI
| funded to self-develop a system to protect that data and
| enforce oversight would not... quite... close the loop.
| qeternity wrote:
| What do you mean the vault was robbed? We put an "Authorized
| Personnel Only" sign out front.
| leroy_masochist wrote:
| It looks like Palantir is blaming FBI's mismanagement of ACLs as
| the root cause of what happened here.
| 1MachineElf wrote:
| The relationship must be very strained already if they are
| publicly blaming each other. Customers always blame their
| vendors. On the Palantir side, their account/product managers
| should be asking whether or not their ACL config is
| sufficiently intuitive. If this mistake was easy for a customer
| to make, if it's a mistake that couldn't have been avoided
| without consultancy, then Palantir should treat it like a
| defect.
| mcguire wrote:
| Ultimately, that's why the customer is paying the vendor.
| verall wrote:
| It's because the FBI doesn't have any leverage to threaten
| palantir for passing the blame. "Government agency is
| incompetent" is a very potent narrative that blocks the usual
| expectation that cloud products should be difficult to use
| insecurely.
|
| Complaining publicly has no downsides for palantir here.
| yasp wrote:
| Palantir can host its products on-prem, and for the FBI
| very well might have. But where it was hosted wouldn't have
| any relevance here.
| ErikVandeWater wrote:
| > "Government agency is incompetent" is a very potent
| narrative that blocks the usual expectation that cloud
| products should be difficult to use insecurely.
|
| Whether the government purchased a defective product that
| was insecure or misused a good product, the government
| should be held to account for the failure, same as with any
| company.
| A4ET8a8uTh0 wrote:
| Their leverage is contract. Palantir's position as vendor
| of choice is kinda limited right now. They don't seem to
| service regular corps in US.
|
| The complaint can have real ramifications (loss of
| future contracts and so on). That said, at a certain point
| enough is enough I suppose.
| theknocker wrote:
| The FBI is incompetent. The FBI is so incompetent that it
| sufficiently explains the phenomena, and the burden of
| proof is on the FBI to prove their explanation instead.
| sfvisser wrote:
| Could as well be. Properly managing access controls for a
| complicated data platform might actually be harder than
| securing the software to begin with. Setting up protocols for
| who is able to access what and why and who is in charge of
| changing the config is non-trivial.
| yasp wrote:
| FBI throwing its vendor under the bus due to their own incompetence.
| edoceo wrote:
| SOP for government
| mcguire wrote:
| The vendor is claiming the FBI didn't use the product
| correctly.
| dylan604 wrote:
| the person you posted said that the FBI blamed the vendor
| because of the FBI's incompetence. so why did you feel the
| need to say the same thing worded differently?
| mcguire wrote:
| They are pointing fingers at each other and we have no idea
| how valid each claim is.
| legerdemain wrote:
| People quoting Palantir's CYA response are missing the fact that
| Palantir's business model is to embed engineers at customer sites
| to deploy, configure, and operate their software. There is a good
| chance that the software was misconfigured because Palantir post-
| sales engineers misconfigured it.
| Dopameaner wrote:
| The hacker had some interesting experiences
|
| > Griffith is accused of violating international sanctions by
| traveling to North Korea and delivering a speech about
| cryptocurrency.
|
| > He is charged with helping North Korea circumvent sanctions
| through the use of crypto.
| mellavora wrote:
| No, no, the article is true!
|
| the glitch is that we allow companies like Palantir to exist.
| boredumb wrote:
| government is a blunder machine and software is built with bad
| defaults?
| TaupeRanger wrote:
| "glitch" /= user error
| rurp wrote:
| I don't understand, this seems like a config issue rather than a
| software "glitch". Maybe the software has bad defaults, but
| that's something the consumer should figure out up front, not
| years into using it.
| ChrisKnott wrote:
| I don't really understand exactly what the FBI breached here...?
|
| They uploaded (AFAICT, lawfully obtained) evidence into their
| FBI-wide system, then it appeared in search results legitimately
| because there was a crossover with another investigation.
|
| The whole point of criminal intelligence systems is to reveal
| these kinds of unexpected links isn't it?
|
| Does the warrant get granted with some kind of limitations on how
| the material can be used or who can review it?
|
| Obviously, they have done something wrong as they have apparently
| felt the need to send a mea culpa to the court, but I don't
| really see what it is.
| slim wrote:
| No one asked why other fbi agents accessed his data ? Maybe those
| fbi agents were cia snitches ? :) Maybe it's a feature not a
| glitch
___________________________________________________________________
(page generated 2021-08-26 23:01 UTC)